Re: Draft finding - "Transitioning the Web to HTTPS"

On Mon, Jan 19, 2015 at 1:35 PM, Paul Libbrecht <> wrote:
> You got it right: we need to teach users to differentiate.
> And that could be done by UIs.
> Users' banks, and most financial statements sites, are probably identified
> by an EV cert… that's quite a difference to a StartSSL cert in terms of UIs
> nowadays.
> That difference would be enough already to my taste.

No way. That is way too subtle a distinction. Users are not going to
remember what type of certificate a site used and based on that decide
to not work with it next time around (if it changed). Not to mention
that this would still leak all your credentials given that those are
scoped by origin.


Received on Monday, 19 January 2015 12:44:22 UTC